Lessons Learned from #ContiLeaks

Blog | Cyber Threat Intel

ContiLeaks Background

Over the last week, InfoSec Twitter has been set ablaze with #ContiLeaks. An individual, likely of Ukrainian origin or a sympathizer, was outraged by a post from Conti leadership declaring solidarity with Russia. The leaks started with Jabber discussions, a screenshot, and source code dumps. The individual behind the @ContiLeaks Twitter account tweeted “Glory for Ukraine!” after four tweets containing the leaks.
These leaks give cybersecurity professionals around the world, and specifically Cyber Threat Intel (CTI) analysts, insight into the inner workings of the top Ransomware-as-a-Service (RaaS) operator. Our CTI practice has been combing through the data looking for Indicators of Compromise (IOCs) and Indicators of Attack (IOAs) that would support our Managed Detection and Response (MDR) analysts as they hunt in our customer networks. Here are the main lessons our CTI practice has learned over the last several days:
  • Conti operations were run much like a mature small-business start-up.
  • The hacking techniques employed by affiliates, or “pentesters”, are not novel.
  • Conti has good software development practices and leverages the latest software development capabilities. Conti’s intellectual property is their software.

Conti Operations

Contrary to the common belief that RaaS gangs are just a bunch of hackers in hoodies, Conti shows the reality that if you are going to participate in this space and be on top, you must have good business operations. The #ContiLeaks have shown us that Conti had a typical business structure. They were made up of roughly 70 employees across the following departments: Human Resources, Leadership and Management, Research and Development, Reverse Engineers, 3rd Party Contractors, and Penetration Testers. It might surprise some to learn that Conti had proposal requests, a procurement process, and budgetary requirements. When one of the Penetration Testers needed a licensed piece of software, they submitted their request to a Technical Lead. Management then followed up with approvals and directions on where the money (cryptocurrency) would be transferred for purchasing. The process was the same when Research and Development wanted to purchase enterprise security software and hardware to test whether their own software could go undetected by, or bypass, these security tools.

Conti Hacking Techniques

A lot was already known about Conti’s tactics, techniques, and procedures (TTPs); however, with the #ContiLeaks more details have emerged that confirm initial suspicions and information highlighted by researchers such as The DFIR Report. This includes how Conti conducted reconnaissance, gained initial access, moved laterally in networks, persisted, and ultimately reached their goal of exfiltrating data and encrypting their target’s workstations and servers. Much of Conti’s arsenal of tooling came from free and open-source software (FOSS), legitimate versions of Cobalt Strike, proof-of-concept (PoC) code for known vulnerabilities found on GitHub, and other community-driven penetration testing projects and scripts, many of which are used by ethical penetration-testing practices today. Custom tooling from the group consisted mostly of automation scripts (batch files, obfuscated PowerShell), custom dynamic link libraries (DLLs), portable executables (PEs), and other executables (EXEs), including the ransomware itself.

Conti Software

It is in this area that our CTI practice believes the true capabilities of Conti reside. As with any small-business start-up software company in Europe or the Americas, the development team followed modern-day development practices. The development team leveraged the Agile method with Continuous Integration (CI) / Continuous Deployment (CD) pipelines. The chat logs from the #ContiLeaks show they had “sprints” for different projects in development. Conti developers leveraged version control for their different code repositories through a self-hosted GitLab server running on the Tor network. When new projects were completed, fellow employees were directed to pull the latest git repo from GitLab for use during operations. Furthermore, analysis of the leaked source code shows development by seasoned developers who knew exactly what they wanted to accomplish with their preferred languages (C++, Erlang, JavaScript, and others).

For further details and more in-depth technical information on this topic, please contact us at info@packetwatch.com.

Preparing for Cyber Threats Related to Tensions in Ukraine

Enterprise Threat Intelligence | Special Alert

TLP: WHITE

Summary

As events continue to deteriorate in Ukraine, the full geopolitical impact remains unclear, especially in the cyber realm. CISA (Cybersecurity and Infrastructure Security Agency) reports that while there are no specific or credible threats to the US at this time, Russia may consider taking retaliatory action in response to sanctions that may impact business and critical infrastructure in the US. Therefore, CISA and the global intelligence community recommend organizations adopt a heightened, vigilant posture and immediately take additional steps to harden defenses and improve resiliency. PacketWatch is providing actionable steps organizations can take to safeguard themselves during this time.

RECOMMENDED ACTIONS:

  • Be prepared for possible disruptions.
  • Adopt a heightened cyber posture.
  • Increase organizational readiness and vigilance.

(CISA/FBI/NSA)

Background

The Russian government has a proven history of escalating and taking actions to destabilize its perceived adversaries outside of its initially targeted country. The Russian government has demonstrated the ability to conduct hybrid warfare combining kinetic and cyber elements for maximum disruption. The Russian government may conduct these cyber activities through its military units, through its intelligence organizations, or, more commonly, through sponsored advanced persistent threat (APT) actors.

Historically, these APT actors have used common yet effective tactics to gain initial access to targeted networks, including spear phishing, brute-force attacks, and exploitation of common vulnerabilities. These APT actors utilize sophisticated tradecraft and advanced cyber capabilities to compromise third-party software and infrastructure and to develop and deploy custom malware. Typically, these actors maintain persistent, undetected, long-term access in compromised network and cloud environments, often using legitimate credentials.

Steps to Take

Based on knowledge of historical TTPs utilized by these APT actors, organizations should take the following steps to increase organizational readiness:

  • Enhance network monitoring and visibility
    • Network Egress Points
      • Monitor network perimeter egress points; examine outbound traffic for signs of anomalous activity (ports, locations, protocols).
      • Restrict what ports/services can communicate to external resources.
    • Network Ingress
      • Geo-block where possible but understand limitations and downstream impacts.
      • Ensure only assets serving specific business purposes are publicly exposed to the internet.
    • Monitor egress and ingress communication from computer assets in the DMZ.
  • Internal Network Hardening
    • Network Segmentation
      • Enforce strong segmentation between network zones to contain traffic.
      • Restrict endpoint-to-endpoint communication.
        • Monitor east-west traffic for anomalous activity.
      • Restrict BYOD assets from access to production networks.
    • Know your assets and what they access; identify everything.
      • Update your inventory survey of hardware and software assets.
      • Review your application control list.
      • Hunt for unmanaged assets.
    • Validate Security Controls
      • Focus on updated controls for Endpoint, Server, Cloud security and Access Management.
  • Harden Identity and Access Management practices
    • Align and enforce password policies using an applicable framework/standard.
    • Unprivileged users should not have privileged access; audit access and permissions.
    • Implement Multi-Factor Authentication (MFA) across all networks, systems, applications, and resources.
  • Ensure Vulnerabilities are identified and patched
    • Scan for open vulnerabilities and patch/mitigate as directed.
    • Update Vendor Solutions, Open-Source Software, and Operating Systems.
    • Isolate vulnerable legacy systems.
  • Ensure Proper Logging
    • Increase levels of logging and ensure proper collection retention — especially on endpoints, servers, network devices and Cloud services.
    • Review access logs for suspicious activity and impossible logons.
    • Monitor for abused or malformed access tokens.
    • Adopt best practices securing cloud services.
  • Test and plan for improved resiliency
    • Review / rehearse / test
      • Continuity of Operations Planning (COOP) plans.
      • Business Continuity / Disaster Recovery (BC/DR) plans.
      • Incident Response (IR) plans.
    • Ensure adequate staffing for longer duration workloads.
    • Anticipate service disruptions and supply chain impacts.
    • Establish alternate providers for mission-critical services.
  • Reach out for assistance if needed
    • Contact experienced security professionals for assistance in testing or implementing the above recommendations.
    • If you believe you have been impacted already, contact your local FBI field office.
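The two log-review items above (looking for suspicious activity and for impossible logons) can be turned into a concrete check. The script below is an added example written for this advisory, not PacketWatch tooling: it flags "impossible travel", where one account authenticates successfully from two locations that are too far apart for the elapsed time, and it counts repeated failed logons per source IP as a simple brute-force indicator. The log format and the sample lines are constructed for the demonstration; the `geo=lat,lon` field stands in for a geolocation enrichment step that a real pipeline would apply to the source IP before this logic runs, and the 900 km/h speed and 50 km distance thresholds are assumptions to tune for your environment.

```python
"""Review authentication logs for impossible logons and brute-force noise.

Added example for this advisory, not PacketWatch code. The log format is
constructed for the demonstration; the geo=lat,lon field stands in for a
geolocation enrichment step that a real pipeline would perform on the source IP.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Fastest plausible legitimate travel (assumed threshold); a sustained speed above
# this between two successful logons from distant locations is treated as impossible.
MAX_SPEED_KMH = 900.0
# Below this distance the two logons are treated as the same area (assumed threshold,
# absorbs ISP address churn and nearby VPN egress points).
MIN_DISTANCE_KM = 50.0

# Constructed sample log lines: ISO-8601 UTC timestamp followed by key=value fields.
SAMPLE_LOG = [
    "2022-02-25T08:00:00Z user=alice src=203.0.113.5 geo=33.45,-112.07 result=success",
    "2022-02-25T08:05:00Z user=bob src=203.0.113.9 geo=33.45,-112.07 result=success",
    "2022-02-25T09:30:00Z user=alice src=198.51.100.7 geo=55.75,37.62 result=success",
    "2022-02-25T09:31:00Z user=carol src=198.51.100.7 geo=55.75,37.62 result=failure",
    "2022-02-25T09:31:10Z user=carol src=198.51.100.7 geo=55.75,37.62 result=failure",
    "2022-02-25T09:31:20Z user=carol src=198.51.100.7 geo=55.75,37.62 result=failure",
    "2022-02-25T12:05:00Z user=bob src=192.0.2.44 geo=34.05,-118.24 result=success",
]


@dataclass
class Logon:
    ts: datetime
    user: str
    src_ip: str
    lat: float
    lon: float
    success: bool


def parse_line(line: str) -> Logon:
    """Parse one constructed log line into a Logon record."""
    ts_text, *rest = line.split()
    fields = dict(item.split("=", 1) for item in rest)
    lat, lon = (float(v) for v in fields["geo"].split(","))
    return Logon(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"],
        src_ip=fields["src"],
        lat=lat,
        lon=lon,
        success=fields.get("result") == "success",
    )


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(lines, max_speed_kmh: float = MAX_SPEED_KMH):
    """One alert per pair of consecutive successful logons whose implied speed is impossible."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.success:  # failed attempts do not prove the user was at that location
            by_user[rec.user].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.ts)
        for prev, cur in zip(recs, recs[1:]):
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if distance < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant logons at the same instant are also impossible; avoid dividing by zero.
            speed = distance / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": prev.src_ip,
                    "to": cur.src_ip,
                    "distance_km": round(distance),
                    "hours": round(hours, 2),
                })
    return alerts


def count_failures_by_source(lines, threshold: int = 3):
    """Source IPs with at least `threshold` failed logons, a simple brute-force indicator."""
    failures = Counter(rec.src_ip for rec in map(parse_line, lines) if not rec.success)
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print("impossible travel:", alert)
    for ip, n in count_failures_by_source(SAMPLE_LOG).items():
        print(f"repeated failures from {ip}: {n}")
```

On the sample data, alice's two logons are roughly 9,700 km apart with 90 minutes between them and are flagged, bob's move from Phoenix to Los Angeles over four hours is not, and the three failures from 198.51.100.7 are reported together. In production the same logic runs over the identity provider's sign-in export rather than a list of strings, and the distance threshold should be raised where a corporate VPN legitimately places users at a distant egress point.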

Recent Developments

On the morning of February 25th, 2022, the Conti ransomware team sent out a warning on their news page announcing the full support of the Russian government, saying:

“The Conti Team is officially announcing a full support of Russian government. If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructures of an enemy. [sic]”

Conti is a Ransomware-as-a-Service operation that has been used against major corporations and government agencies in North America. In typical ransomware attacks, the actors exfiltrate files, encrypt servers and workstations, and demand a ransom payment.

Assistance

State-sponsored Russian APT actors are extremely proficient at their trade. Experienced security professionals are available to help. Additional resources are also available from CISA, the FBI, NSA, and others. Although this may seem overwhelming, you need to act now to protect your organization. If you need clarification or assistance in adopting any of the recommendations above, please contact us at info@packetwatch.com or visit PacketWatch at https://packetwatch.com. A member of our team will follow up with you.

Stay tuned.


INFORMATION PRODUCT CAVEAT: The information in this product is provided “as-is.” It is not yet finally evaluated intelligence and should be considered raw information that is provided strictly for situational awareness, given what is known at this time.